Abstract — As social networking sites such as Facebook and
Twitter are becoming increasingly popular, a growing number 
of malicious attacks, such as phishing and malware, are 
exploiting them. Among these attacks, social botnets have 
sophisticated infrastructure that leverages compromised user
accounts, known as bots, to automate the creation of new social
networking accounts for spamming and malware propagation. 
Traditional defense mechanisms are often passive and reactive 
to non-zero-day attacks. In this paper, we adopt a proactive 
approach for enhancing security in social networks by in- 
filtrating botnets with honeybots. We propose an integrated 
system named SODEXO which can be interfaced with social 
networking sites for creating deceptive honeybots and leverag- 
ing them for gaining information from botnets. We establish a 
Stackelberg game framework to capture strategic interactions 
between honeybots and botnets, and use quantitative methods to 
understand the tradeoffs of honeybots for their deployment and 
exploitation in social networks. We design a protection and alert 
system that integrates both microscopic and macroscopic mod- 
els of honeybots and optimally determines the security strategies 
for honeybots. We corroborate the proposed mechanism with 
extensive simulations and comparisons with passive defenses. 

Keywords: social networks; cyber security; game theory; bot- 
net; malware propagation; Stackelberg games 

I. Introduction 

Online social networks such as Facebook and Twitter are 
employed daily by hundreds of millions of users to commu- 
nicate with acquaintances, follow news events, and exchange 
information. The growing popularity of OSNs has led to a 
corresponding increase in spam, phishing, and malware on 
social networking sites. The fact that a user is likely to click 
on a web link that appears in a friend's Facebook message or 
Twitter feed can be leveraged by attackers who compromise 
or impersonate that individual. 

An important class of malware attacks on social networks 
is social botnets [1], [2]. In a social botnet, an infected user's 
device and social networking account are both compromised 
by installed malware. The compromised account is then used 
to send spam messages to the user's contacts, containing 
links to websites with the malware executable. As a result, 
compromising a single well-connected user could lead to 
hundreds or thousands of additional users being targeted
for spam, many of whom will also become members of 
the botnet and further propagate the malware. The most 
prominent example of a social botnet to date is Koobface, 
which at its peak had infected 600,000 hosts [1]. 

Current methods for mitigating malware, including social 
botnets, in social networks are primarily based on URL 
blacklisting. In this defense mechanism, links that are sus- 
pected to contain spam or malware are added to a centralized 
blacklist controlled by the owner of the social network. After 
a link has been blacklisted, the social networking site will 
no longer communicate with the IP address indicated by the 
link, even if a user clicks the link [3]. 

While blacklisting can slow the propagation of malware, 
there remain several drawbacks to this approach. First, auto- 
mated methods for blacklisting links often fail to detect spam 
and malware; one survey suggests that 73% of malicious 
links go undetected and are not added to the blacklist [4]. 
Second, automated blacklisting creates the risk of valid 
accounts and messages being classified as spam, degrading 
the user experience. Third, even for links that are correctly 
identified as pointing to malware, there is typically a large 
delay between when links are detected and blacklisted. One 
study estimates this delay as 25 days on average, while at 
the same time most clicks on malware links occur within the 
first 48 hours of posting [5]. 

A promising approach to defending against social botnets 
is through deception mechanisms. In a deceptive defense, the 
defender generates fake social network profiles that appear 
similar to real profiles and waits to receive a link to malware. 
The defender then follows the link to the malware site, 
downloads the malware executable, and runs it in a quaran- 
tined, sandbox environment. By posing as an infected node 
and interacting with the owner of the botnet, the defender 
gathers links that are reported to the blacklist either before 
or shortly after they are posted, reducing the detection time 
and increasing the success rate. Currently, however, there is 
no systematic approach to modeling social botnets and the 
effectiveness of deception, as well as designing an effective 
strategy for infiltrating the botnet and gathering information. 

In this paper, we introduce an analytical framework for 
SOcial network DEception and exploitation through hOn- 
eybots (SODEXO). Our framework has two components, 
deployment and exploitation. The deployment component 
models how decoy accounts are introduced into the online 
social network and gain access to the botnet. The exploitation 
component characterizes the behavior of the decoys and the 
botnet owner after infiltration has occurred, enabling us to 



model the effect of the decoy on the botnet operation. 

For the deployment component, we first develop a dynam- 
ical model describing the population of a social botnet over 
time. We derive the steady-state equilibria of our model and 
prove the stability of the equilibria. We then formulate the 
problem of selecting the optimal number of honeybots in 
order to maximize the information gathered from the botnet 
as a convex optimization problem. Our results are extended 
to include networks with heterogeneous node degree. 

We model the exploitation of the botnet by the honey- 
bots as a Stackelberg game between the botmaster and the 
honeybots. In the game, the botmaster allocates tasks, such 
as spam message delivery, among multiple bots based on 
their trustworthiness and capabilities. The honeybots face a 
trade-off between obtaining more information by following 
the commands of the botmaster, and the impact of those 
commands on other network users. We derive closed forms 
for the optimal strategies of both the botmaster and hon- 
eybots using Stackelberg equilibrium as a solution concept. 
We then incorporate the utility of the honeybot owner under 
the Stackelberg equilibrium in order to select an optimal 
deployment strategy. 

The paper is organized as follows. The related work is reviewed in Section II. In Section III we describe the architecture of our proposed framework for deceptive defense. In Section IV we model the exploitation phase of the botnet, in which the honeybot gathers the maximum possible information while avoiding detection by the botmaster. In Section V we model the deployment and population dynamics of the infected nodes and honeybots. Section VI describes the Protection and Alert System (PAS), which provides a unifying framework for controlling deployment and exploitation. Section VII presents our simulation results. Section VIII concludes the paper.

II. Related Work 

Social botnets are becoming a serious threat for network 
users and managers, as they possess sophisticated infrastructure that leverages compromised user accounts, known
as bots, to automate the creation of new social networking 
accounts for spamming and malware propagation [2]. In [6], a 
honeypot-based approach is used to uncover social spammers 
in online social systems. It has been shown that social 
honeypots can be used to identify social spammers with low 
false positive rates, and that the harvested spam data contain 
signals that are strongly correlated with observable profile 
features, such as friend information and posting patterns. The 
goal of [6], however, is not to infiltrate the botnet, but to 
use honeypots to differentiate between real and spam online 
profiles. 

In [4], a zombie emulator is used to infiltrate the Koobface botnet to discover the identities of fraudulent and compromised social network accounts. The authors arrived at the conclusion that "to stem the threat of Koobface and the rise of social malware, social networks must advance their defenses beyond blacklists and actively search for Koobface content, potentially using infiltration as a means of early detection." This insight coincides with our proactive approach for defending social networks using deceptive social honeybots.

Fig. 1. System architecture of honeybot deceptive mechanism in social networks

Deception provides an effective approach for building 
proactively secure systems [7], [8]. A considerable amount of work uses deception for enhancing cyber security. In recent literature on intrusion detection systems,
honeypots have been used to monitor suspicious intrusions 
[9], [10], and provide signatures of zero-day attacks [11]. In 
[12], to enhance the security of control systems in critical 
infrastructure, deception has been proposed to make the 
system more difficult for attackers to plan and execute 
successful attacks. At present, however, there has been no 
analysis on the impact of deception on malware propagation 
in social networks. 

In order to establish a formal method to evaluate the 
performance of deceptive social honeybots against botnets, 
we employ a game- and system- theoretic approach to model 
the strategic behaviors of botnets and the deployment and 
exploitations of honeybots. Such approaches have become 
pivotal for designing security mechanisms in a quantitative 
way [13]. In [14], an optimal control approach to modeling 
the maximum impact of a malware attack on a communica- 
tion network is presented. In [15], the authors have proposed 
an architecture for a collaborative intrusion detection network 
and have adopted a game-theoretic approach for designing a 
reciprocal incentive compatible resource allocation compo- 
nent of the system against free-rider and insider attacks. 

III. System Architecture 

In this section, we introduce our honeybot-based defense 
system named SODEXO for protecting social networks 
against malicious attacks. Fig. 1 illustrates the architecture
of SODEXO. Our framework consists of two components, 
namely, honeybot deployment (HD) and honeybot exploita- 
tion (HE). HD deals with the distribution of honeybots within 
social networks and the deception mechanisms to infiltrate 
the botnet to learn and monitor the activities in botnets. 
HE aims to use the successfully infiltrated honeybots to 
collect as much information as possible from the botnet. The 
behaviors of the two blocks are coordinated by a Protection and Alert System (PAS), which uses the gathered information to generate real-time signatures and alerts for the social network (Fig. 2).



Fig. 2. Architecture of the protection and alert system 

The introduction of honeybots into a social network allows 
a proactive defense and monitoring of the social network 
against botnets. The SODEXO architecture bears its resem- 
blance to feedback control systems. The HE component 
behaves as a security sensor of the social network; PAS can 
be seen as a controller which takes the "measurements" from 
HE and yields a honeypot deployment strategy; and HD acts 
as an actuator that updates the honeypot policy designed by 
PAS. In the following subsections, we discuss in detail each 
component of SODEXO. 

A. Honeybot Deployment (HD) 

A honeypot is deployed by first creating an account on 
a social networking site. The account profile is designed to 
imitate a real user, as in [6]. Once deployed, the honeypot 
sends a set of friend requests to a set of randomly chosen 
other users. The honeypot continues sending friend requests 
to random users until the desired number of neighbors, 
denoted d, has been reached. The honeypot monitors the 
message traffic of its neighbors, which may include personal 
messages, wall posts, or Twitter feeds, and follows any 
posted link. If the link points to malware and has not been 
blacklisted, then the honeypot becomes a member of the 
social botnet and proceeds to the exploitation stage. 

B. Honeybot Exploitation (HE) 

The HE component of SODEXO takes advantage of the 
successfully infiltrated honeybots to gain as much infor- 
mation as possible from the botnet. The information is 
obtained in the form of command and control messages. The 
honeybots need to gain an appropriate level of trust from the 
bots and respond to the C&C messages while minimizing 
harm to the legitimate social network users and avoiding 
legal liability. Honeybots work collaboratively to achieve this 
goal. In the case where honeybots are commanded to send 
spam or malware to network users, they can send them to 
each other to remain active in the botnet. Depending on 
the sophistication of the botnet, honeybots can sometimes 
be detected using mechanisms described in [16], [17]. In 
this case, a higher growth rate of honeybot population will 
be needed to replace the detected honeybots. Hence, the 
performance of HE heavily depends on the effectiveness of 
HD, and in turn, HD should change its policy based on 
the sophistication of botnets and the amount of information 
learned in HE. 

C. Protection and Alert System (PAS) 

The major role of PAS is to provide security policies for HD based on the information learned from HE. Fig. 2 illustrates two major functions of PAS. The first step of PAS is to process the messages and logs gained from honeybots. Using data mining and machine learning techniques, it is possible that the structure of botnets can be inferred from network traffic information [18] and that botnet C&C channels in a local area network can be identified [19]. This information can be used by the network administrator to detect the location of botmasters and remove them from the network.

Fig. 3. Illustration of the interactions between social networks and botnets

The second important task of PAS is to generate signatures for detecting malware and spam, which are then used to update the libraries of intrusion detection systems, the blacklists of spam filters, and user alerts or recommendations. The reconfiguration of IDSs and spam filters can be done either offline or in real time as in [20] and [21].

D. Botnet Propagation Model 

Fig. 3 illustrates a mechanism used by botnets to infect
social network users, which has been found in the Koobface 
botnet [2], [4]. The botnet maintains a fixed domain that 
bots or zombies regularly contact to report uptime statistics 
and request links for spamming activity. The bots aim to 
obtain fresh user accounts and send malicious messages. 
The bot messages contain a malicious URL obfuscated 
by shortening services such as bit.ly or wrapped by an 
innocuous website including Google Reader and Blogger. 
Clicking on the URL of these messages eventually redirects 
to a spoofed Youtube or Facebook page that attempts to trick 
the victim into installing malware masquerading as a Flash 
update. Unsuspecting users become infected by clicking on 
these messages. Infected users are recruited to spam their 
own social network friends, leading to a wide propagation 
of malware within social network users. 

Once a user has been compromised, the infected device makes frequent attempts to connect with one or more command and control (C&C) bots to retrieve commands from the botnet for further actions. These commands are usually issued from another compromised computer for the purpose of concealing the botmaster's real identity [16], leading to a hierarchical botnet architecture. Fig. 4 illustrates the structure of a typical botnet, where a single botmaster sends messages to two C&C bots, which in turn send commands to the bots.

IV. System Model for Honeybot Exploitation 

In this section, we introduce a system model for hierar- 
chical botnets and employ a Stackelberg game framework 
to model the interactions between the botnet and infiltrating 
honeybots. 



A. Theoretical Framework 

Consider a botmaster $B$ that sends requests to a set of C&C bots $\mathcal{M} = \{1, 2, \cdots, m\}$ with $m = |\mathcal{M}|$. Each C&C bot $i \in \mathcal{M}$ sends commands to a set of compromised bot nodes $\mathcal{N}_i$ with $n_i = |\mathcal{N}_i|$. We assume that the botnet is a three-level tree architecture and, without loss of generality, we can assume $\sum_{i \in \mathcal{M}} n_i =$ since a single bot controlled by multiple C&C bots can be modeled using multiple duplicate bots. Let $H$ be a honeybot that communicates with node $i \in \mathcal{M}$, i.e., $H \in \mathcal{N}_i$. We assume that all honeybots work together as a team, and hence one honeybot node $H$ under one C&C subtree can conceptually represent a group of collaborative honeypots who have succeeded in infiltrating the same botnet.

We let $p_{ij} \in \mathbb{R}_+$ be the number of messages or commands (in bytes) per second sent from C&C bot $i$ to bot node $j \in \mathcal{N}_i$. Likewise, $p_{ji}$ denotes the number of response messages per second to C&C node $i \in \mathcal{M}$ from node $j \in \mathcal{N}_i$.

Each C&C node $i$ maintains a trust value $T_{ij} \in [0, 1]$ associated with a bot or honeybot node $j \in \mathcal{N}_i$. The trust values indicate the quality of response and performance of bot nodes. The trust values also inherently model the detection mechanisms in botnets, which have been discussed in [16], [22]. For botnets with such mechanisms, low trust values indicate the inefficiency of a bot or a high likelihood of being a honeybot. For those without such mechanisms, we can take $T_{ij} = 1$ for all $j \in \mathcal{N}_i$, i.e., equivalently treating all bots as equally trusted.

One C&C bot needs to send commands to a large population of bot nodes. Hence, the goal of C&C bot $i \in \mathcal{M}$ is to allocate its communication resources $\mathbf{p}_i := [p_{ij}]_{j \in \mathcal{N}_i}$ to maximize the utility of its subtree network $U_i : \mathbb{R}_+^{n_i} \to \mathbb{R}$, which is the sum of utilities obtained from each bot $j$, i.e.,

$$U_i(\mathbf{p}_i) = \sum_{j \in \mathcal{N}_i} U_{ij}(p_{ij}), \qquad (1)$$

where $U_{ij} : \mathbb{R}_+ \to \mathbb{R}$ is the individual utility of C&C bot $i$ from bot $j \in \mathcal{N}_i$, which is chosen to be

$$U_{ij}(p_{ij}) := T_{ij}\, p_{ji} \ln(\alpha_i p_{ij} + 1). \qquad (2)$$



The choice of logarithmic function in (2) indicates that the marginal utility of the C&C bot diminishes as the number of messages increases. It captures the fact that the bots have limited resources to respond to commands, and a larger volume of commands can overwhelm the bots, which leads to diminishing marginal utility of node $j$. $\alpha_i \in \mathbb{R}_{++}$ is a positive system parameter that determines the marginal utility.

The utility of C&C bot $i$ is also proportional to the number of messages or responses per second from bot $j$, indicated by $p_{ji} \in \mathbb{R}_+$. The number of response messages from bot $j$ indicates the level of activity of a bot. We can see that when $p_{ji} = 0$ or $T_{ij} = 0$ in (2), then bot $j$ is believed to be either inactive or fake, and it is equivalently removed from the subtree of C&C node $i$ in terms of the total utility (1). Note that $T_{ij}$ in (2) evaluates the quality of the responses while $p_{ji}$ evaluates the quantity. The product of $T_{ij}$ and $p_{ji}$ captures the fact that the botnet values highly active and trusted bots.

We consider the following C&C bot optimization problem (BOP) of every node $i \in \mathcal{M}$:

$$\text{(BOP)}\quad \max_{\mathbf{p}_i \in \mathcal{F}_i} \; U_i := \sum_{j \in \mathcal{N}_i} T_{ij}\, p_{ji} \ln(\alpha_i p_{ij} + 1) \quad \text{s.t.} \quad \sum_{j \in \mathcal{N}_i} c_{ij}\, p_{ij} \le C_i. \qquad (3)$$

The constraint (3) in (BOP) is a capacity constraint on the communications using the C&C channel, where $C_i$ is the total capacity of the channel. The cost $c_{ij} \in \mathbb{R}_{++}$ is the cost of sending commands to bots. The cost also depends on the size of messages from C&C bot $i$ to its controlled bots. It has been found in [4] that Twitter has a larger volume of spam messages than Facebook. This is due to the fact that Twitter messages are often shorter than Facebook messages, and hence the cost of commanding bots to spam with Twitter messages is lower than the cost for Facebook.

Let $\mathcal{F}_i := \{\mathbf{p}_i \in \mathbb{R}_+^{n_i} : \sum_{j \in \mathcal{N}_i} c_{ij}\, p_{ij} \le C_i\}$ be the feasible set of (BOP). We let $\mathcal{L}_i : \mathbb{R}^{n_i} \times \mathbb{R} \to \mathbb{R}$ be the associated Lagrangian defined as follows:

$$\mathcal{L}_i(\mathbf{p}_i, \lambda_i) = \sum_{j \in \mathcal{N}_i} T_{ij}\, p_{ji} \ln(\alpha_i p_{ij} + 1) + \lambda_i \Big( \sum_{j \in \mathcal{N}_i} c_{ij}\, p_{ij} - C_i \Big). \qquad (4)$$

Since the feasible set is nonempty and convex, and the objective function is convex in $\mathbf{p}_i$, it is clear that (BOP) is a convex program, and hence we can use the first-order optimality condition to characterize the optimal solution to (BOP):

$$\frac{\partial \mathcal{L}_i}{\partial p_{ij}} = \frac{\alpha_i T_{ij}\, p_{ji}}{\alpha_i p_{ij} + 1} + \lambda_i c_{ij} = 0, \qquad (5)$$

which leads to

$$p_{ij} = -\frac{T_{ij}\, p_{ji}}{\lambda_i c_{ij}} - \frac{1}{\alpha_i}. \qquad (6)$$

Due to the monotonicity of the logarithmic functions in (2), the optimal solution is found on the Pareto boundary of the feasible set. Hence by letting $\sum_{j \in \mathcal{N}_i} c_{ij}\, p_{ij} = C_i$, we obtain the Lagrange multiplier $\lambda_i$ from (6) as follows:

$$\lambda_i = -\frac{\sum_{j \in \mathcal{N}_i} T_{ij}\, p_{ji}}{C_i + \alpha_i^{-1} \sum_{j \in \mathcal{N}_i} c_{ij}}. \qquad (7)$$



We make the following assumption before stating Theorem 1.

(A1) The product $T_{ij}\, p_{ji} \ne 0$ for all $j \in \mathcal{N}_i$, $i \in \mathcal{M}$.

Assumption (A1) states that all bots controlled by C&C bot $i$ are both active and trusted. This assumption is valid because a controlled bot $j$ that is either inactive ($p_{ji} = 0$) or untrusted ($T_{ij} = 0$) can be viewed as one excluded from the set $\mathcal{N}_i$. Hence Assumption (A1) is equivalent to the statement that $\mathcal{N}_i$ contains all active and trusted bots.

Theorem 1: Under Assumption (A1), (BOP) admits a unique solution when $\alpha_i$ is sufficiently large:

$$p_{ij}^* = \frac{T_{ij}\, p_{ji}}{\sum_{j' \in \mathcal{N}_i} T_{ij'}\, p_{j'i}} \cdot \frac{C_i + \alpha_i^{-1} \sum_{j' \in \mathcal{N}_i} c_{ij'}}{c_{ij}} - \frac{1}{\alpha_i}. \qquad (8)$$

Proof: Assumption (A1) ensures that (BOP) is strictly convex in $p_{ij}$ for all $j \in \mathcal{N}_i$. Hence the result follows directly from (6) and (7). Since $\alpha_i$ is a system parameter, we can choose $\alpha_i$ sufficiently large so that the solution obtained in (8) is nonnegative. ■
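As an added illustration (not code from the paper), the following Python script evaluates the closed-form allocation (8) for one C&C bot on a constructed three-bot scenario, checks that it spends exactly the channel capacity $C_i$, verifies numerically that no transfer of budget between two bots improves the (BOP) objective, and shows the caveat of Theorem 1: with a small $\alpha_i$ the formula returns a negative rate. All parameter values are made up for the example.

```python
import math

# Added example: closed-form (BOP) solution (8) with numeric sanity checks.
# Parameter values below are constructed for illustration only.

def bop_allocation(T, p_resp, c, C_cap, alpha):
    """Return [p_ij^*] from (8) for one C&C bot i.
    T[j]      trust value T_ij in [0, 1]
    p_resp[j] response rate p_ji of bot j
    c[j]      unit cost c_ij of commanding bot j
    C_cap     channel capacity C_i
    alpha     marginal-utility parameter alpha_i (must be 'sufficiently large')
    """
    weights = [T[j] * p_resp[j] for j in range(len(T))]   # T_ij p_ji
    total = sum(weights)                                    # sum_j T_ij p_ji
    budget = C_cap + sum(c) / alpha                         # C_i + alpha_i^-1 sum_j c_ij
    return [w / total * budget / c[j] - 1.0 / alpha for j, w in enumerate(weights)]

def bop_utility(p_cmd, T, p_resp, alpha):
    """Objective of (BOP): sum_j T_ij p_ji ln(alpha_i p_ij + 1)."""
    return sum(T[j] * p_resp[j] * math.log(alpha * p_cmd[j] + 1.0)
               for j in range(len(T)))

def channel_cost(p_cmd, c):
    """Left-hand side of the capacity constraint in (3)."""
    return sum(c[j] * p_cmd[j] for j in range(len(c)))

def is_boundary_local_max(p_cmd, T, p_resp, c, alpha, delta=0.01):
    """Shift a cost budget of `delta` from bot a to bot b (this keeps the
    capacity constraint tight) and confirm the utility never increases."""
    base = bop_utility(p_cmd, T, p_resp, alpha)
    for a in range(len(c)):
        for b in range(len(c)):
            if a == b:
                continue
            moved = list(p_cmd)
            moved[a] -= delta / c[a]
            moved[b] += delta / c[b]
            if min(moved) < 0:          # leaves the feasible set, skip
                continue
            if bop_utility(moved, T, p_resp, alpha) > base:
                return False
    return True

# Constructed scenario: three bots with different trust, activity and cost.
T = [1.0, 0.8, 0.5]
P_RESP = [2.0, 1.0, 4.0]
COST = [1.0, 2.0, 1.5]
CAPACITY = 10.0
ALPHA = 5.0

def demo():
    p_star = bop_allocation(T, P_RESP, COST, CAPACITY, ALPHA)
    return {
        "p_star": p_star,
        "cost": channel_cost(p_star, COST),        # equals CAPACITY
        "utility": bop_utility(p_star, T, P_RESP, ALPHA),
        "nonnegative": min(p_star) >= 0.0,
        "local_max": is_boundary_local_max(p_star, T, P_RESP, COST, ALPHA),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    # With alpha_i too small, (8) is no longer a feasible (nonnegative) rate.
    print("alpha=0.1 ->", bop_allocation(T, P_RESP, COST, CAPACITY, 0.1))
```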

B. Stackelberg Game 

In this section, we formulate a two-stage Stackelberg game between honeybots and C&C nodes. Honeybots behave as leaders who can learn the behaviors of the C&C bots once they succeed in infiltrating the botnet, and who choose the optimal strategies to respond to the commands from C&C bots.

The goal of honeypots is to collect as much information as possible from the botmaster. We consider the following game between honeypots and a C&C bot. The honeypot node $H$ first chooses a response rate $p_{Hi}$ to the commands from C&C bot $i$, and then C&C bot $i$ observes the response and chooses an optimal rate to send information to honeybot $H$ according to (BOP). We make the following assumption on the real bots in the network.

(A2) The real bots are not strategically interacting with the C&C bot $i$, i.e., they send messages to bot $i$ at a constant rate $p_{ji}$, $j \ne H$, $j \in \mathcal{N}_i$.

The above assumption holds because bots are non-human 
driven, pre-programmed to perform the same routine logic 
and communications as coordinated by the same botmaster 
[19]. Under Assumption (A2), the strategic interactions exist 
only between honeybots and C&C nodes. 

The honeypot node $H$ has a certain cost when it responds to the botnet. This can be either because of the potential harm that it can cause on the system or due to the cost of implementing commands from the botmaster. We consider the following honeypot optimization problem (HOP), where node $H$ aims to maximize its utility function $U_H : \mathcal{F}_H \times \mathbb{R}_+ \to \mathbb{R}_+$ as follows:

$$\text{(HOP)}\quad \max_{p_{Hi} \in \mathcal{F}_H} \; U_H(p_{Hi}, p_{iH}) := \ln(p_{iH} + \xi_H) - \beta_i^H p_{Hi},$$

where $\xi_H \in \mathbb{R}_{++}$ is a positive system parameter; $\beta_i^H$ is the cost of honeybot $H$ responding to the bot node $i$; $p_{Hi}$ is the message sending rate from honeybot node $H$ to C&C bot $i$; and $p_{iH}$ is the rate of C&C bot $i$ sending commands to $H$. $\mathcal{F}_H$ denotes the feasible set of the honeypot node $H$. We let $\mathcal{F}_H = \{p_{Hi} : 0 \le p_{Hi} \le p_{Hi,\max}\}$, where $p_{Hi,\max} \in \mathbb{R}_{++}$ is a positive parameter that can be chosen to be sufficiently large. The logarithmic part of the utility function in (HOP) is used to model the property of diminishing returns of an information source. The value of receiving an additional piece of information from the C&C bot decreases as the total number of messages received by the honeypot increases.

The interactions between honeypot $H$ and C&C node $i$ can be captured by the Stackelberg game model $\Xi_S := \langle (i, H), (U_i, U_H), (\mathcal{F}_i, \mathcal{F}_H) \rangle$, and Stackelberg equilibrium can be used as a solution concept to characterize the outcome of the game.

Definition 1 (Stackelberg Equilibrium): Let $\pi_{iH}(\cdot)$ be the unique best response of the C&C bot to the response rate $p_{Hi}$ of the honeypot. An action profile $(p_{iH}^*, p_{Hi}^*) \in \mathcal{F}_i \times \mathcal{F}_H$ is a Stackelberg equilibrium if $p_{iH}^* = \pi_{iH}(p_{Hi}^*)$ and the following inequality holds: $U_H(\pi_{iH}(p_{Hi}^*), p_{Hi}^*) \ge U_H(\pi_{iH}(p_{Hi}), p_{Hi})$ for all $p_{Hi} \in \mathcal{F}_H$.



Theorem 2: Under Assumption (A1), the nonzero-sum continuous-kernel Stackelberg game $\Xi_S$ admits a Stackelberg equilibrium.

Proof: The utility function of C&C bot $i$ is strictly convex for all $p_{Hi} \ne 0$ under Assumption (A1). Since $\mathcal{F}_H$ and $\mathcal{F}_i$ are compact sets, by Corollary 4.4 of [23], the game admits a Stackelberg equilibrium solution. ■

Under Assumption (A1), the unique best response $\pi_{iH}(\cdot)$ can be obtained from (8) for sufficiently large $\alpha_i$ as follows:

$$p_{iH} = \pi_{iH}(p_{Hi}) = C_H \frac{T_{iH}\, p_{Hi}}{T_{iH}\, p_{Hi} + \Xi_H} - \frac{1}{\alpha_i}, \qquad (9)$$

where $\Xi_H := \sum_{j \ne H,\, j \in \mathcal{N}_i} T_{ij}\, p_{ji}$ is the number of responses from real bots weighted by their trust values and

$$C_H := \frac{C_i + \alpha_i^{-1} \sum_{j \in \mathcal{N}_i} c_{ij}}{c_{iH}}.$$

Letting $\xi_H = 1/\alpha_i$ and substituting (9) in (HOP), we arrive at the following optimization problem faced by the honeybot node $H$:

$$\max_{p_{Hi} \in \mathcal{F}_H} \; U_H(\pi_{iH}(p_{Hi}), p_{Hi}) := \ln\Big( C_H \frac{T_{iH}\, p_{Hi}}{T_{iH}\, p_{Hi} + \Xi_H} + \xi_H \Big) - \beta_i^H p_{Hi}. \qquad (10)$$

Theorem 3: Under Assumptions (A1) and (A2), the Stackelberg equilibrium solution $(p_{iH}^*, p_{Hi}^*)$ of the game $\Xi_S$ is unique and can be found as follows:

$$p_{Hi}^* = \frac{C_H \Xi_H}{2 T_{iH}(C_H + \xi_H)} + \frac{\sqrt{C_H^2 \Xi_H^2 + \dfrac{4 T_{iH}(C_H + \xi_H)\, \Xi_H C_H}{\beta_i^H}}}{2 T_{iH}(C_H + \xi_H)} - \frac{\Xi_H}{T_{iH}}, \qquad (11)$$

and $p_{iH}^* = \pi_{iH}(p_{Hi}^*)$ and $p_{ij}^* = \pi_{ij}(p_{ji})$ for $j \ne H$, $j \in \mathcal{N}_i$.

Proof: The problem described in (10) is a convex program with the utility function $U_H$ convex in $p_{Hi}$ and convex set $\mathcal{F}_H$. Hence the first-order optimality condition yields

$$C_H \Xi_H T_{iH} = \beta_i^H (\Xi_H + p_{Hi} T_{iH}) \big( C_H p_{Hi} T_{iH} + (\Xi_H + p_{Hi} T_{iH})\, \xi_H \big), \qquad (12)$$

which is a quadratic equation to be solved for $p_{Hi}$, and its nonnegative solution is given in (11). Since $p_{Hi,\max}$ is chosen sufficiently large and (11) is non-negative, $p_{Hi}^*$ is a feasible solution. The equilibrium solution for bot $i$ hence follows from (9). ■

In order to provide insights into the solution obtained in (11), we make the following assumptions based on common structures of the botnets.

(A3) The real bots controlled by C&C bot $i$ have identical features, i.e., $c_{ij} = c_i$, $p_{ji} = p_i$ and $T_{ij} = T_i$ for all $j \ne H$, $j \in \mathcal{N}_i$.

(A4) The size of the real bots controlled by C&C bot $i$ is much larger than the size of honeybots.

(A5) We let $\xi_H = 0$.

Assumption (A5) is valid due to the freedom of choosing the parameter $\xi_H$ in (HOP). Without loss of generality, we can let $\xi_H = 1/\alpha_i$ in (HOP), and hence $\xi_H = 0$ in (10). Assumption (A3) holds if the real bots controlled by C&C bot $i$ are of the same type, for example, non-expert Windows Facebook users. These types of users are commonly the target of botnets. Under (A3), we can simplify the expressions in (11) and obtain $C_H = \frac{C_i}{c_i} + n_i$ and $\Xi_H = n_i^R T_i p_i$.

Assumption (A4) is built upon the fact that one C&C node in botnets often controls thousands of bots and the size of honeybots is often comparably small due to their implementation costs [24]. Under (A4), we have $\Xi_H \gg p_{Hi} T_{iH}$, and then (10) can be rewritten as

$$U_H(\pi_{iH}(p_{Hi}), p_{Hi}) = \ln\Big( C_H \frac{T_{iH}\, p_{Hi}}{\Xi_H} + \xi_H \Big) - \beta_i^H p_{Hi}. \qquad (13)$$

Corollary 1: Under Assumptions (A1), (A2) and (A4), the Stackelberg equilibrium solution $(p_{iH}^*, p_{Hi}^*)$ of the game $\Xi_S$ is given by

$$p_{Hi}^* = \Big( \frac{1}{\beta_i^H} - \frac{\Xi_H\, \xi_H}{C_H T_{iH}} \Big)^+, \qquad (14)$$

where $(\cdot)^+ = \max\{0, \cdot\}$; $p_{iH}^* = \pi_{iH}(p_{Hi}^*)$ and $p_{ij}^* = \pi_{ij}(p_{ji})$ for $j \ne H$, $j \in \mathcal{N}_i$.

Proof: From (A4), we can rewrite (12) by replacing $\Xi_H + p_{Hi} T_{iH}$ with $\Xi_H$. Since all the terms in (14) are bounded, we can let $p_{Hi,\max}$ be sufficiently large and arrive at (14). The result then follows from Theorem 3. ■
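As an added illustration covering Theorem 3 and Corollary 1 (not code from the paper), the following Python script computes the exact leader strategy (11) for a constructed scenario, confirms that the first-order condition (12) holds there and that no other feasible $p_{Hi}$ gives the honeybot a higher value of (10) (Definition 1), and compares it with the large-botnet approximation (14). The parameter values, including $\Xi_H = 200$ from 250 real bots, are constructed for the example.

```python
import math

# Added example: Stackelberg equilibrium (11) of the honeybot leader problem
# (10) and its approximation (14). Parameter values are constructed.

def best_response_iH(p_Hi, T_iH, Xi_H, C_H, alpha):
    """(9): command rate the C&C bot sends to H given H's response rate."""
    return C_H * T_iH * p_Hi / (T_iH * p_Hi + Xi_H) - 1.0 / alpha

def leader_utility(p_Hi, T_iH, Xi_H, C_H, xi_H, beta):
    """(10): honeybot utility after substituting the best response."""
    return math.log(C_H * T_iH * p_Hi / (T_iH * p_Hi + Xi_H) + xi_H) - beta * p_Hi

def leader_utility_derivative(p_Hi, T_iH, Xi_H, C_H, xi_H, beta):
    """d/dp_Hi of (10); it vanishes exactly where the quadratic (12) holds."""
    u = T_iH * p_Hi + Xi_H
    inner = C_H * T_iH * p_Hi / u + xi_H
    return (C_H * T_iH * Xi_H / (u * u)) / inner - beta

def stackelberg_p_Hi(T_iH, Xi_H, C_H, xi_H, beta):
    """(11): the nonnegative root of (12)."""
    denom = 2.0 * T_iH * (C_H + xi_H)
    root = math.sqrt(C_H ** 2 * Xi_H ** 2 + 4.0 * T_iH * (C_H + xi_H) * Xi_H * C_H / beta)
    return C_H * Xi_H / denom + root / denom - Xi_H / T_iH

def approx_p_Hi(T_iH, Xi_H, C_H, xi_H, beta):
    """(14): equilibrium under (A4), i.e. Xi_H >> p_Hi T_iH, clipped at 0."""
    return max(0.0, 1.0 / beta - Xi_H * xi_H / (C_H * T_iH))

def is_leader_optimal(p_star, T_iH, Xi_H, C_H, xi_H, beta, p_max=200.0, steps=4000):
    """Definition 1: no feasible p_Hi in [0, p_max] beats p_star for H."""
    best = leader_utility(p_star, T_iH, Xi_H, C_H, xi_H, beta)
    for s in range(steps + 1):
        p = p_max * s / steps
        if leader_utility(p, T_iH, Xi_H, C_H, xi_H, beta) > best + 1e-12:
            return False
    return True

# Constructed scenario: 250 real bots, each trusted 0.8 and responding at
# rate 1.0, so Xi_H = 250 * 0.8 * 1.0 = 200; honeybot trust T_iH = 0.9.
PARAMS = dict(T_iH=0.9, Xi_H=200.0, C_H=50.0, xi_H=0.2, beta=0.05)

def demo():
    p_hi = stackelberg_p_Hi(**PARAMS)
    return {
        "p_Hi_exact": p_hi,                      # about 17.58
        "p_Hi_approx": approx_p_Hi(**PARAMS),    # about 19.11 under (A4)
        "p_iH": best_response_iH(p_hi, PARAMS["T_iH"], PARAMS["Xi_H"],
                                 PARAMS["C_H"], alpha=5.0),
        "foc_residual": leader_utility_derivative(p_hi, **PARAMS),
        "leader_optimal": is_leader_optimal(p_hi, **PARAMS),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a much larger botnet (say $\Xi_H = 20000$) the approximation (14) clips to zero: the honeybot's responses are diluted among the real bots and responding is no longer worth its cost $\beta_i^H$.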
Corollary 2: Let the size of the real bots under C&C bot $i$ be $n_i^R$ and the size of the honeybots represented by super node $H$ be $n_i^H$. Note that $n_i = n_i^R + n_i^H$. Under Assumptions (A1) to (A5), the Stackelberg equilibrium of the game $\Xi_S$ is given by

$$p_{Hi}^* = \frac{1}{\beta_i^H}, \qquad p_{ij}^* = \pi_{ij}(p_{ji}), \qquad (15)$$

for $j \ne H$, $j \in \mathcal{N}_i$, and the equilibrium solution of C&C node $i$ is composed of two terms given by $p_{iH}^* = p_{iH,S}^* + p_{iH,N}^*$, with the first term independent of $n_i^H$,

$$p_{iH,S}^* = \frac{T_{iH}}{T_{iH} + \beta_i^H n_i^R T_i p_i} \Big( \frac{C_i}{c_i} + n_i^R \Big) - \frac{1}{\alpha_i}, \qquad (16)$$

and the second term dependent on $n_i^H$,

$$p_{iH,N}^* = \frac{n_i^H T_{iH}}{T_{iH} + \beta_i^H n_i^R T_i p_i}. \qquad (17)$$

Proof: The result immediately follows from Corollary 1 using (A3) and (A5). ■
Remark 1: From Corollary 2 we can see that under Assumption (A1), the equilibrium response strategy is inversely proportional to the unit cost $\beta_i^H$. We can see that the number of command and control messages harvested from the botnet is affine in the number of successfully infiltrated honeybots. The growth rate of the number of messages is given by

$$\frac{\partial p_{iH}^*}{\partial n_i^H} = \frac{T_{iH}}{\beta_i^H n_i^R T_i p_i + T_{iH}}. \qquad (18)$$

The growth rate depends on the trust value $T_{iH}$. Honeybots can harvest more information from the botnet if they are more trusted. The growth rate also depends on the number of real bots controlled by C&C bot $i$. As $n_i^R \to \infty$, the growth rate $\partial p_{iH}^*/\partial n_i^H \to 0$, i.e., the size of honeybots will not affect the number of messages received by the network.

Fig. 4. Illustration of a hierarchical social botnet

Trust values can change over time and can be modeled either by a random process or by assessment rules adopted by the attacker. We can separate this into different subsections of discussion. We can also consider a dynamic optimization problem by taking the belief/trust as the state. This can be done using beta or Dirichlet distributions.

V. Model of Honeybot Deployment and Botnet Growth

In what follows, a macroscopic model of the dynamics of the number of bots at time $t$, denoted $x_1(t)$, and the number of honeybots, denoted $x_2(t)$, is presented. We then formulate an optimization problem for determining the number of honeypot nodes to introduce into the network.

A. Botnet and honeypot growth models 

The bots are assumed to send spam messages, containing links to malware, with rate $r$. Each message is sent to each of the $d$ neighbors of the bot, where $d$ is the average node degree. Hence in each time interval $dt$, $rd\,dt$ spam messages are sent. Since the number of valid nodes is $N - x_1(t)$, the number of messages reaching valid nodes is equal to $rd\frac{N - x_1}{N}\,dt$.

The number of nodes that become bots depends on the 
behavior of the valid users and the number of links that 
have been blacklisted. Each user clicks on a spam link with 
probability q. If the link has been blacklisted, then the user 
will be blocked from visiting the infected site; otherwise, the 
user's account is compromised and the device becomes part 
of the botnet. 

To determine the probability that a link has been blacklisted, we assume that each bot is independently given a set of $k$ malicious links, out of $M$ links total. The probability that a given link has been given to a specific honeybot is therefore $\frac{k}{M}$. Hence the probability that a link has not been blacklisted is the probability that that link has not been given to any honeybot, which is equal to $\left(1 - \frac{k}{M}\right)^{x_2}$. We assume that:

(A6) The number of links given to each honeybot, $k$, satisfies

Under (A6), $\left(1 - \frac{k}{M}\right)^{x_2}$ can be approximated by $1 - \frac{k x_2}{M}$.

Finally, we assume that the infected devices are discovered and cleaned with rate $\mu_1$. This leads to the dynamics

$$\dot{x}_1(t) = rdq\, x_1 \Big( 1 - \frac{k x_2}{M} \Big) \frac{N - x_1}{N} - \mu_1 x_1. \qquad (19)$$



Honeybot nodes are inducted into the botnet in a similar fashion. We make the following assumptions regarding the honeybot population:

(A7) The number of honeybots that are not part of the botnet, denoted $z$, is constant.

(A8) The number of honeybots is small compared to the total number of users, so that $\frac{z}{z + N} \approx \frac{z}{N}$.

Assumption (A7) can be guaranteed by creating new, uninfected honeybots when existing honeybots infiltrate the botnet. As with real users, honeybot nodes cannot follow links that have been blacklisted; however, unlike real users, honeybot nodes will attempt to follow any link with probability 1. The botmaster detects and removes honeybots with rate $\mu_2$. The honeybot population is therefore defined by

$$\dot{x}_2(t) = rd\, x_1 \Big( 1 - \frac{k x_2}{M} \Big) \frac{z}{N} - \mu_2 x_2. \qquad (20)$$



Proposition 1: The dynamics defined by (19) and (20) have two equilibria, given by $(x_1, x_2) = (0, 0)$ and
$$(x_1^*, x_2^*) = \left(\frac{N\mu_2 M\,(rdq - \mu_1)}{rdq\,\mu_2 M + rdkz\,\mu_1},\ \frac{z\,(rdq - \mu_1)}{q\left(\frac{rdkz}{M} + \mu_2\right)}\right). \qquad (21)$$

Proof: Equation (19) reaches equilibrium if $x_1 = 0$ or if $rdq\left(1 - \frac{k x_2}{M}\right)\frac{N - x_1}{N} - \mu_1 = 0$. If $x_1 = 0$, then (20) reaches equilibrium when $x_2 = 0$. If $rdq\left(1 - \frac{k x_2}{M}\right)\frac{N - x_1}{N} - \mu_1 = 0$, solving for $x_1$ yields
$$x_1 = N\left(1 - \frac{\mu_1}{rdq\left(1 - \frac{k x_2}{M}\right)}\right).$$
Substituting into (20) gives the equilibrium of (21). ■

The quantity $rdq$ corresponds to the rate at which new nodes are inducted into the botnet, while $\mu_1$ is the rate at which nodes are cleaned and exit the botnet. Thus if $rdq < \mu_1$, then the number of bots converges to zero, while $rdq > \mu_1$ implies that the number of bots converges to a nonzero steady-state value.

Since network security policies are typically updated intermittently, while the dynamics of (19) and (20) converge rapidly, we base our subsequent analysis on the steady-state values of $x_1$ and $x_2$, and derive the optimal number of honeybots to introduce into the system in steady-state. In order to prove that this problem is well-defined, we first examine the stability properties of each equilibrium in the following theorem.

Theorem 4: If $\mu_1 > rdq$, then $(x_1, x_2) = (0, 0)$ is asymptotically stable. If $\mu_1 < rdq$, then $(x_1^*, x_2^*)$ is asymptotically stable in the limit as $M \to \infty$, $N \to \infty$.

Proof: An equilibrium point of a nonlinear dynamical system is asymptotically stable if its linearization is asymptotically stable at that point [25, Theorem 3.7]. The linearization of (19) and (20) around $(0, 0)$ is given by
$$A_{00} = \begin{pmatrix} rdq - \mu_1 & 0 \\ \frac{rdz}{N} & -\mu_2 \end{pmatrix}.$$
If $\mu_1 > rdq$, then $-A_{00}$ is diagonally dominant, and hence has eigenvalues with positive real part [ref]. The eigenvalues of $A_{00}$ therefore have negative real part, implying that the linearization around $(0, 0)$ is asymptotically stable. The linearization $A_{x_1^* x_2^*}$ around $(x_1^*, x_2^*)$ is given by
$$A_{x_1^* x_2^*} = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix},$$
with
$$a_{11} = rdq\left(1 - \frac{k x_2^*}{M}\right)\frac{N - 2x_1^*}{N} - \mu_1, \qquad a_{12} = -\frac{rdqk}{M}\,x_1^*\,\frac{N - x_1^*}{N},$$
$$a_{21} = \frac{rdz}{N}\left(\frac{\mu_2 M + \mu_1 kz/q}{\mu_2 M + rdkz}\right), \qquad a_{22} = -\frac{rdkz}{M}\left(1 - \frac{\mu_1(\mu_2 M + rdkz)}{rd\,(q\mu_2 M + kz\mu_1)}\right) - \mu_2.$$
To prove that $A_{x_1^* x_2^*}$ has eigenvalues with negative real part, we examine $-A_{x_1^* x_2^*}$. The second row is clearly diagonally dominant, since the diagonal element is positive and the off-diagonal element is negative. The first row is diagonally dominant if
$$\frac{qkN\mu_1\mu_2\,(rdq - \mu_1)(\mu_2 M + rdkz)}{rd\,(\mu_1 kz + q\mu_2 M)^2} < \mu_1 + rdq\left(1 - \frac{k x_2^*}{M}\right)\left(\frac{2x_1^*}{N} - 1\right). \qquad (22)$$
In the limit as $M \to \infty$, the left-hand side of (22) converges to zero while the right-hand side reduces to $\mu_1 + rdq\left(1 - \frac{2\mu_1}{rdq}\right)$, which is positive under the hypothesis $\mu_1 < rdq$. Hence $-A_{x_1^* x_2^*}$ is diagonally dominant, and therefore has eigenvalues with positive real part, implying that $(x_1^*, x_2^*)$ is a stable equilibrium point. ■
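The dynamics (19)-(20), the equilibrium (21) and the linearization used in the proof of Theorem 4, as an added example; this is not the paper's Matlab code. It integrates the two ODEs with the parameter values of the simulation study in Section VII (50 bots and 50 honeybots initially), checks that the trajectory settles at the closed-form equilibrium, and tests stability directly through the eigenvalues of the Jacobian. The split $M = 10^4$, $k = 100$ is a constructed choice, since the paper only gives $k/M = 0.01$, and the RK4 integrator is this example's own.

```python
"""Bot/honeybot population dynamics (19)-(20), equilibrium (21) and Jacobian check.
Added example, not the paper's code.  Parameter values follow Section VII;
the split M=10_000, k=100 is constructed (only k/M = 0.01 is given)."""
import cmath
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    N: float = 1e6        # total number of user accounts
    d: float = 100.0      # average node degree
    r: float = 0.4        # spam messages per bot per day
    q: float = 0.01       # probability that a valid user follows a spam link
    mu1: float = 0.2      # rate at which infected accounts are cleaned
    mu2: float = 0.5      # rate at which the botmaster removes honeybots
    k: float = 100.0      # malicious links handed to each bot (constructed)
    M: float = 10_000.0   # total number of malicious links (constructed)


def rhs(p: Params, z: float, x1: float, x2: float):
    """Right-hand sides of (19) and (20) for a constant pool of z un-inducted honeybots."""
    not_blacklisted = 1.0 - p.k * x2 / p.M        # (A6) approximation of (1 - k/M)^x2
    rd = p.r * p.d
    dx1 = rd * p.q * x1 * not_blacklisted * (p.N - x1) / p.N - p.mu1 * x1
    dx2 = rd * x1 * not_blacklisted * z / p.N - p.mu2 * x2
    return dx1, dx2


def equilibrium(p: Params, z: float):
    """Nonzero equilibrium (21); a botnet persists only when r*d*q > mu1."""
    rd = p.r * p.d
    x1 = p.N * p.mu2 * p.M * (rd * p.q - p.mu1) / (rd * p.q * p.mu2 * p.M + rd * p.k * z * p.mu1)
    x2 = z * (rd * p.q - p.mu1) / (p.q * (rd * p.k * z / p.M + p.mu2))
    return x1, x2


def jacobian(p: Params, z: float, x1: float, x2: float):
    """Linearization of (19)-(20) at (x1, x2); at (0, 0) it is A_00 from the proof of Theorem 4."""
    rd = p.r * p.d
    nb = 1.0 - p.k * x2 / p.M
    a11 = rd * p.q * nb * (p.N - 2 * x1) / p.N - p.mu1
    a12 = -rd * p.q * x1 * (p.k / p.M) * (p.N - x1) / p.N
    a21 = rd * nb * z / p.N
    a22 = -rd * x1 * (p.k / p.M) * z / p.N - p.mu2
    return ((a11, a12), (a21, a22))


def eigenvalues(A):
    """Eigenvalues of a 2x2 matrix via trace and determinant (complex-safe)."""
    (a, b), (c, d) = A
    tr, det = a + d, a * d - b * c
    disc = cmath.sqrt(tr * tr - 4 * det)
    return (tr + disc) / 2, (tr - disc) / 2


def is_asymptotically_stable(A) -> bool:
    """Linearization test used in Theorem 4: every eigenvalue has negative real part."""
    return all(lam.real < 0 for lam in eigenvalues(A))


def simulate(p: Params, z: float, x1_0=50.0, x2_0=50.0, days=500.0, dt=0.1):
    """Integrate (19)-(20) with classical RK4 and return the final (x1, x2)."""
    x1, x2 = x1_0, x2_0
    for _ in range(int(days / dt)):
        k1 = rhs(p, z, x1, x2)
        k2 = rhs(p, z, x1 + dt / 2 * k1[0], x2 + dt / 2 * k1[1])
        k3 = rhs(p, z, x1 + dt / 2 * k2[0], x2 + dt / 2 * k2[1])
        k4 = rhs(p, z, x1 + dt * k3[0], x2 + dt * k3[1])
        x1 += dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        x2 += dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
    return x1, x2


if __name__ == "__main__":
    p = Params()
    for z in (0.0, 5.0, 25.0):
        x1s, x2s = equilibrium(p, z)
        print(f"z={z:>4}: closed form ({x1s:.1f}, {x2s:.2f}), simulated {simulate(p, z)}, "
              f"stable={is_asymptotically_stable(jacobian(p, z, x1s, x2s))}")
```

For $z = 5$ the closed form gives $x_1^* \approx 1.67 \times 10^5$ and $x_2^* = 40$, against $x_1^* = 5 \times 10^5$ with no honeybots, which is the reduction Fig. 5(a) reports. At this finite $M$ the first row of $-A_{x_1^* x_2^*}$ is not diagonally dominant ($|a_{12}|$ is of order $10^2$ while $-a_{11}$ is $0.04$), which is why Theorem 4 is stated in the limit $M \to \infty$; the eigenvalue test is the direct check and confirms stability for these values.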

B. Computation of system parameters 

The parameter $\mu_2$ determines the rate at which honeypot nodes are discovered and removed by the botmaster, and hence can be calculated by observing the lifetime of deployed honeypots (see Section VI). Similarly, the number of received messages $p$ and the cost $\tau$ can be estimated by averaging over the set of deployed honeypots over time. The fraction of malicious links $k/M$ that are given to a single bot or honeypot is estimated using the assumption that links are distributed independently and uniformly at random by the botmaster, so that the probability that a given link has not been received by any honeypot is $\left(1 - \frac{k}{M}\right)^{x_2}$. This probability can be estimated by analyzing the set of malicious links received by new honeypots, which combined with knowledge of $x_2$ enables computation of $k/M$. The rate at which spam messages are sent by bots, denoted $r$, is estimated from the number of instruction messages received by the honeypots.

The parameters $\mu_1$ and $q$, equal to the rate at which bots are removed from the botnet and the fraction of malicious links that are followed by users, respectively, depend on user behavior. These parameters can be estimated using existing data sets of user behavior [26]. Furthermore, to obtain an upper bound on the effectiveness of the botnet, the parameter $q$ can be set equal to 1, implying that a valid user always clicks any link to the malware executable (the worst case). The average node degree, $d$, is estimated based on existing analyses of the degree distribution of social networks [27].



C. Extension to heterogeneous networks 

Typical social networks follow a non-uniform degree distribution. We present a model for the bot and honeypot population dynamics as follows. Let $N_d$ denote the total number of users with degree $d$, and let $x_1^d(t)$ and $x_2^d(t)$ denote the number of bots and honeypots with degree $d$ at time $t$. The average degree of the network is equal to $\bar d$. We make the assumption that:

(A9) The average degree of the infected users is equal to the average degree of the social network as a whole.

The total number of spam messages sent by bots in time interval $dt$ is equal to $r\bar d\,x_1\,dt$, each of which has not been blacklisted with probability $\left(1 - \frac{k x_2}{M}\right)$. The probability that the recipient of a message has degree $d$ and has not been infected is equal to
$$\Pr(\text{degree } d,\ \text{not infected}) = \frac{N_d - x_1^d}{N_d}\cdot\frac{d\,N_d}{\bar d\,N} = \frac{(N_d - x_1^d)\,d}{\bar d\,N}.$$
This implies that the dynamics of $x_1^d(t)$ are given by (23), where $N_d$ is the number of user accounts of degree $d$.

Similarly, the probability that the recipient of a spam message is a honeypot node of degree $d$ that has not been infected yet is $\frac{z_d}{N}$, where $z_d$ is the number of honeybots of degree $d$ that have not joined the botnet, leading to dynamics of $x_2^d(t)$ described by
$$\dot{x}_2^d(t) = r\bar d\,x_1\left(1 - \frac{k x_2}{M}\right)\frac{z_d}{N} - \mu_2 x_2^d. \qquad (24)$$

Proposition 2: The dynamics (23) and (24) have equilibrium points at $x_1^d = x_2^d = 0$ for all $d$ and at a nonzero equilibrium $(x_1^{d*}, x_2^{d*})$.

Proof: Summing (23) over $d$ yields
$$\dot{x}_1 = \frac{r\bar d q\,x_1}{N}\left(1 - \frac{k x_2}{M}\right)(N - x_1) - \mu_1 x_1,$$
which implies that in steady-state we have
$$x_1^* = N\left(1 - \frac{\mu_1}{r\bar d q\left(1 - \frac{k x_2^*}{M}\right)}\right). \qquad (27)$$
Similarly, summing $\dot{x}_2^d(t)$ over $d$ results in
$$\dot{x}_2 = r\bar d\,x_1\left(1 - \frac{k x_2}{M}\right)\frac{z}{N} - \mu_2 x_2,$$
which combined with (27) gives $x_2^* = \frac{z\,(r\bar d q - \mu_1)}{q\left(\frac{r\bar d kz}{M} + \mu_2\right)}$. The steady-state value (26) can be obtained from (24). Similarly, $x_1^{d*}$ can be obtained from (23). ■

VI. Modeling of Protection and Alert System (PAS)

PAS is a coordination system that strategically deploys honeybots and designs security policies for social networks. In this section, we focus on optimal reconfiguration of honeybots as illustrated in Fig. 2. We introduce a mathematical framework for finding honeybot deployment strategies based on the system models described in Sections IV and V.

A. Relations between HD and HE 

We have adopted a divide-and-conquer approach in Sections IV and V and have modeled the behavior of each system independently. However, the interdependencies between HD and HE are essential for PAS to make optimal security policies for the social network. The HE model in Section IV describes strategic operations of honeybots at a microscopic level, while the HD model in Section V provides a macroscopic description of the population dynamics of bots and honeybots. These two models are interrelated through their parameters together with the feedback control from PAS.

The interactions between bots and honeybots in the HE model occur on a time scale of seconds. The analysis of the Stackelberg equilibrium in Section IV captures the steady-state equilibrium after a repeated or learning process of the game. Hence the equilibrium can be reached on a time scale of minutes. On the other hand, the population dynamics in the HD model evolve on a larger time scale (for example, days). Hence, we can assume that the Stackelberg game has reached its equilibrium when the populations evolve at a macroscopic level. Decisions made at PAS are on a longer time scale (for example, weeks) because the processing of collected information, the learning of bots and honeybots in social networks, and high-level decisions on security policy in reality demand a considerable amount of human resources for coordination and supervision.

1) Trust Values and Detection Rate: The trust values $T_{ij}$ used in the HE model are related to the macroscopic detection and removal rate $\mu_2$ in the HD model. As we have pointed out earlier, zero trust values are equivalent to the removal of honeybots from the botnet. Hence we can adopt a simple dynamic model to describe the change of $T_{ij}$ over a longer time period (say, days). We let $T_{ij}^0$ be the initial condition of the trust value. The evolution of $T_{ij}$ over the macroscopic time scale can be modeled using the following ODE:
$$\dot{T}_{ij}(t) = -\mu_2 T_{ij}(t), \qquad T_{ij}(t_{ij}^0) = T_{ij}^0. \qquad (28)$$
Note that honeybots have different initial times $t_{ij}^0$. Hence from (28), we obtain
$$T_{ij}(t) = T_{ij}^0\,e^{-\mu_2 (t - t_{ij}^0)}, \qquad (29)$$
i.e., the trust values decay exponentially at the removal rate, on which a threshold can be set. From (29), the mean lifetime of a honeybot is $1/\mu_2$. The macroscopic parameter $\mu_2$ can be estimated from the rate of change of working honeybots in the botnet, which is known to the system, while $T_{ij}$ is a microscopic parameter that is often not directly known to honeybots. With the ODE model in (28), we can use $\mu_2$ to estimate $T_{ij}$.

2) Honeybot and Bot Populations: In Section V the populations of bots and infiltrating honeybots are denoted by $x_1$ and $x_2$, respectively, whereas in Section IV the bot size under C&C bot $i$ is $n_i^B$. Under a hierarchical botnet structure, illustrated in Fig. 4, the total bot and honeybot populations $x_1, x_2$ are given by
$$x_1 = \sum_{i=1}^{m} n_i^B, \qquad x_2 = \sum_{i=1}^{m} n_i^H. \qquad (30)$$
If all C&C bots are assumed to be identical, i.e., $n_i^B = n^B$ and $n_i^H = n^H$ for every C&C node $i$, then $x_1 = m n^B$ and $x_2 = m n^H$.

3) Activity Level of Bots: The rate $p_i$ in (18) indicates the activity level of bots when they respond to or poll information from C&C node $i$. This level of activity is often correlated with the parameter $r$, the rate of sending spam messages to the social network. Assume that all C&C bots are identical, i.e., $p_i = p$ for all $i$; then we can let $p = \alpha r$, where $p$ is in messages/sec, $r$ is in messages/sec and $\alpha > 0$ is a unitless parameter.

B. Cross-Layer Optimal Honeybot Deployment 

In what follows, we first derive the optimal honeybot deployment when the benefit from each honeypot is measurable. We then combine the analysis of Sections IV and V to determine the optimal honeybot deployment, taking into account the behavior of the deployed nodes during the exploitation phase.

The goal of the honeypot operator is to maximize the number of blacklisted links that are reported to the social network. Based on the analysis of Corollary 2, we assume that the number of blacklisted links is proportional to the number of honeypot nodes in the botnet in steady-state, $x_2^*$. The decision variable is the number of honeypot nodes that have not yet been inducted into the botnet, $z$. This leads to a utility function given by $V_H(z) = \rho\,x_2^*(z) -\tau\,(x_2^* + z)$, where $\rho$ and $\tau$ represent the benefit (information gathered) and the cost of maintaining a single honeypot node. Substituting (21) yields (31).

The value of $z$ that maximizes (31) is given by the following proposition.



Proposition 3: The optimum value of $z$ is given by (32).

Proof: Differentiating $V_H(z)$ with respect to $z$ yields
$$\frac{dV_H}{dz} = (\rho - \tau)\left(rd - \frac{\mu_1}{q}\right)\frac{\mu_2}{\left(\frac{rdkz}{M} + \mu_2\right)^2} - \tau.$$
By inspection, $\frac{dV_H}{dz}$ is a strictly decreasing function of $z$, so that $V_H(z)$ is strictly concave. Setting this expression equal to zero implies (32). ■

Remark 2: Eq. (32) has several implications for the design of honeybot systems. First, for malware that propagates rapidly (corresponding to a large $rd$ value), fewer honeybots are needed, since the malware will quickly spread to the deployed honeybot. Second, if $\mu_2$ is large, then honeybots are rapidly detected and removed by the botmaster, and hence the cost of deploying honeybots outweighs the benefits.
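The deployment optimization of Proposition 3, as an added example that is not the paper's code. It evaluates $V_H(z) = \rho\,x_2^*(z) - \tau\,(x_2^*(z) + z)$ with $x_2^*(z)$ from (21), maximizes it numerically (ternary search on the concave function), and compares with the closed form obtained by setting the derivative from the proof to zero; that this closed form coincides with the paper's (32) is an assumption. Model parameters are those of Section VII; the benefit $\rho = 10$ and cost $\tau = 1$ per honeypot are constructed values, as are the alternative values used to check Remark 2.

```python
"""Optimal size z of the un-inducted honeybot pool (Proposition 3).
Added example, not the paper's code.  rho=10, tau=1 are constructed values;
the closed form is derived from the proof's derivative (assumed to match (32))."""
import math


def x2_star(z, *, r, d, q, mu1, mu2, k_over_M):
    """Steady-state number of honeybots inside the botnet, (21), as a function of z."""
    rd = r * d
    return z * (rd * q - mu1) / (q * (rd * k_over_M * z + mu2))


def utility(z, *, rho, tau, **model):
    """V_H(z): benefit rho per infiltrating honeybot, cost tau per honeybot inside or waiting."""
    x2 = x2_star(z, **model)
    return rho * x2 - tau * (x2 + z)


def optimal_z_closed_form(*, rho, tau, r, d, q, mu1, mu2, k_over_M):
    """Root of dV_H/dz = (rho-tau)(rd - mu1/q) mu2 / (a z + mu2)^2 - tau with a = rd k/M.
    Returns 0 when no botnet forms (rdq <= mu1) or when dV_H/dz(0) is already non-positive."""
    rd = r * d
    if rd * q <= mu1:
        return 0.0
    a = rd * k_over_M
    gain = (rho - tau) * (rd - mu1 / q) * mu2
    if gain <= tau * mu2 ** 2:          # dV_H/dz at z = 0 is <= 0: deploying never pays off
        return 0.0
    return (math.sqrt(gain / tau) - mu2) / a


def optimal_z_numeric(*, z_max=1e4, iters=200, **kw):
    """Ternary search for the maximizer of the strictly concave V_H on [0, z_max]."""
    lo, hi = 0.0, z_max
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if utility(m1, **kw) < utility(m2, **kw):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2


if __name__ == "__main__":
    model = dict(r=0.4, d=100.0, q=0.01, mu1=0.2, mu2=0.5, k_over_M=0.01)   # Section VII values
    z_cf = optimal_z_closed_form(rho=10.0, tau=1.0, **model)
    z_num = optimal_z_numeric(rho=10.0, tau=1.0, **model)
    print(f"closed form z* = {z_cf:.3f}, numeric z* = {z_num:.3f}, "
          f"V_H(z*) = {utility(z_cf, rho=10.0, tau=1.0, **model):.1f}")
    # Remark 2: faster propagation (larger rd) calls for fewer honeybots
    print("z* at d=200:", optimal_z_closed_form(rho=10.0, tau=1.0, **dict(model, d=200.0)))
```

With the constructed $\rho = 10$, $\tau = 1$ the optimum is about 22 honeybots in the pool, in line with the "around 25" reported for Fig. 5(b); doubling $d$ lowers it, and a large $\mu_2$ drives it to zero, which are the two implications of Remark 2.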

The utility function (31) can be augmented by incorporating the impact on the exploitation phase. In particular, (18) gives an expression for $p$, which we write as $p = \frac{1}{\varphi x_1}$ when the number of bots is sufficiently large. The utility function $V_H$ can then be written as
$$V_H = \left(\frac{1}{\varphi x_1^*} - \tau\right)x_2^* - \tau z. \qquad (33)$$
An efficient algorithm for maximizing (33) can be derived using the following theorem.

Fig. 5. Simulation of our framework for a network of $N = 10^6$ users, where each user has probability $q = 0.01$ of following a malicious link, messages are sent at a rate of 0.4 messages per bot per day, and infected nodes are cleaned after 5 days on average. (a) Effect of increasing the number of honeypot nodes on the botnet population. Deployment of a small number of honeypots can greatly reduce the number of bots present. Note that the population converges quickly to its equilibrium value. (b) The optimum number of bots based on (32) for different costs $\tau$ and benefits $\rho$. The total number of honeypots remains small for each case. (c) Effect of degree distribution on the botnet population for number of honeypots $z = 5$. Each network is scale-free, with exponent $\gamma$ varying between networks. A higher connectivity results in a larger number of bots.

Theorem 5: The problem of selecting $z$ to maximize $V_H$ in (35) is equivalent to a program over $z \ge 0$ and $0 \le x_2^* \le N$ with the additional constraint (36) on the quantity
$$\frac{1}{\xi}\,\frac{rdq\,\mu_2 M + rdkz\,\mu_1}{(rdq - \mu_1)\,\mu_2 M},$$
which is a convex program.



Proof: The optimization problem of selecting $z$ to maximize $V_H$ can be written as
$$\underset{z \in \mathbb{R}_+}{\text{maximize}} \quad \left(\frac{1}{\varphi x_1^*(z)} - \tau\right)x_2^*(z) - \tau z. \qquad (37)$$
If $\frac{1}{\varphi x_1^*(z)} - \tau < 0$, then the objective function is monotone decreasing in $z$, leading to an optimal value $z = 0$. To avoid this, we require $\frac{1}{\varphi x_1^*(z)} > \tau$, leading to constraint (37). Using (21), we have (38). Substituting $\xi = \left(x_1^* - \cdots\right)$ and $\varphi = \left(1 - \cdots\right)$ leads to the objective function
$$\cdots - \tau x_2^* - \tau z. \qquad (39)$$
Since quadratic-over-linear and inverse functions are convex, the first two terms of (39) are concave, and hence $V_H$ is concave.

Finally, the fact that the objective function is increasing as a function of $x_1^*$ and decreasing as a function of $z$ implies that the constraint (36) holds with equality at the optimum, so that the relationship between $x_1^*$ and $z$ in (21) is satisfied. This constraint is convex due to Proposition 3. ■

The convex optimization approach presented in Theorem 5 is used to select a honeybot deployment strategy in order to maximize the level of infiltration into the botnet and the amount of data gathered during the exploitation phase. Once inducted into the botnet, the honeybots follow the Stackelberg equilibrium strategy of Section IV and use the collected data to generate malware signatures and create URL blacklists. The parameters of (33) are updated in response to changes in botnet behavior observed during the exploitation phase.

VII. Simulation Study 

We evaluated our proposed method using a Matlab simulation study, described as follows. A network consisting of $N = 10^6$ nodes was generated, with degree $d = 100$ (consistent with observations of the average degree of social networks [27]). The rate at which malware messages are sent is given by $r = 0.4$ messages per bot per day, and the rate at which nodes are disinfected and removed from the botnet is $\mu_1 = 0.2$, an average lifetime for each bot of 5 days. These statistics are based on the empirical observations of [4]. Based on [5], we estimate that the probability of a user clicking on a spam link is given by $q = 0.01$. It is assumed that the fraction of malware links given to each bot is equal to $k/M = 0.01$. The rate at which honeybots are detected and removed is equal to $\mu_2 = 0.5$. In each case, we assume that there are 50 infected nodes and honeybots present in the network initially.

The population dynamics of the bots, described by (19) and (20), are shown in Fig. 5(a). Each curve represents the number of infected users over time for a different level of honeybot activity, as described by the parameter $z$. In each case, the number of bots converges to its equilibrium value. The top curve (solid line) assumes $z = 0$, i.e. no deception takes place and malicious links are detected through blacklists only. Employing deception through honeybots significantly reduces the botnet population, even when the number of honeybots is small relative to the population size. As additional honeybots are added, the botnet population continues to decline. However, the marginal benefit of adding a honeybot decreases as the number of honeybots grows large.

The optimum number of honeybots depends on the cost of introducing and maintaining honeybots, denoted $\tau$, as well as the benefit $\rho$ from each honeybot, as described in (32). The optimum number of honeybots is given in Fig. 5(b). As the cost of introducing new honeybots is reduced, the optimal number of honeybots increases. In each case, the optimum number of honeybots remains small, at around 25 nodes, relative to the total network population of $10^6$ nodes.

The effect of a heterogeneous degree distribution is shown in Fig. 5(c). The degree distribution was chosen to be scale-free, so that the probability that a node has degree $d$ was proportional to $d^{-\gamma}$. Hence a higher value of $\gamma$ corresponds to a less-connected network. The parameter $\gamma$ had a significant impact on the rate of propagation of the botnet, even though for the chosen values of $\gamma$ the average degrees of the three networks were similar.

VIII. Conclusion 

In this paper, we studied the problem of defending against 
social botnet attacks through deception. We considered a 
defense mechanism in which fake honeybot accounts are 
deployed and infiltrate the botnet, impersonating infected 
users. The infiltrating honeybots gather information from 
command and control messages, which are used to form 
malware signatures or add spam links to URL blacklists. 
We introduced a framework for SOcial network Deception 
and Exploitation through hOneybots (SODEXO), which 
provides an analytical approach to modeling and designing 
social honeybot defenses. We decomposed SODEXO into 
deployment and exploitation components. 

In the deployment component, we model the population 
dynamics of the infected users and honeybots, and show 
how the infected population is affected by the number of 
honeybots introduced. We derive the steady-state populations 
of infected users and honeybots and prove the stability of 
the equilibrium point. In the exploitation component, we 
formulate a Stackelberg game between the botmaster and the 
honeybots and determine the amount of information gathered 
by the honeybot in equilibrium. The two components are 
combined in the Protection and Alert System (PAS), which 
chooses an optimal deployment strategy based on the ob- 
served behavior of the botnet and the information gathered 
by the honeybots. Our results are supported by simulation 
studies, which show that a small number of honeybots 
significantly decrease the infected population of a large social 
network. 